Abstract

An important subcase of the hidden subgroup problem is equivalent to the shift problem over abelian groups. An efficient solution to the latter problem would serve as a building block of quantum hidden subgroup algorithms over solvable groups. The main idea of a promising approach to the shift problem is reduction to solving systems of certain random disequations in finite abelian groups. The random disequations are actually generalizations of linear functions distributed nearly uniformly over those not containing a specific group element in the kernel. In this paper we give an algorithm which finds the solutions of a system of $N$ random linear disequations in an abelian $p$-group $A$ in time polynomial in $N$, where $N = \log^{O(q)}|A|$, and $q$ is the exponent of $A$.



1 Introduction 

In [5] [5] the following computational problem emerged as an important ingredient of quantum algorithms for the hidden subgroup problem in solvable groups. Below $A$ stands for an abelian group and $c$ is a real number at least 1.

Random Linear Disequations($A$, $c$) - search version
Oracle input: Sample from a distribution over characters of the finite abelian group $A$ which is nearly uniform with tolerance $c$ on characters not containing a fixed element $u$ in their kernels.
Output: The set of elements $u$ with the property above.

A character of $A$ is a homomorphism $\chi$ from $A$ to the multiplicative group of the complex numbers. The kernel $\ker\chi$ of $\chi$ is the set of the group elements on which $\chi$ takes value 1. The characters of $A$ form a group $A^*$ where the multiplication is defined by taking the product of function values. It is known that $A^*$ is actually isomorphic to $A$. By near uniformity we mean that the distribution deviates from the uniform one within a constant factor expressed by the parameter $c$. The formal definition is the following. We say that a distribution over a finite set $S$ is nearly uniform with a real tolerance parameter $c \ge 1$ over a subset $S' \subseteq S$ if $\Pr(s) = 0$ for $s \in S \setminus S'$ and $1/(c|S'|) \le \Pr(s) \le c/|S'|$ for $s \in S'$. If $u$ is in the expected output then so is $tu$, where $t$ is relatively prime to the order of $u$: these are the elements which generate the same cyclic subgroup as $u$. The output can be represented by any of such elements. The input is a sequence of random characters drawn independently according to the distribution. For an algorithm working with this kind of input we can interpret an access to an input character as a query.

We assume that group elements and characters are represented by strings of $O(\log|A|)$ bits. Note that it is standard to identify $A^*$ with $A$ using a duality between $A$ and $A^*$ obtained from fixing a basis of $A$ as well as choosing appropriate roots of unity. We may assume that characters are given that way.

The name Random Linear Disequations is justified by the following. Assume that $A = \mathbb{Z}_p^n$ where $p$ is a prime number. Then fixing a primitive $p$th root of unity gives a one-to-one correspondence between the characters of $A$ and homomorphisms from $A$ to the group $\mathbb{Z}_p$. If we consider $A$ as a vector space over $\mathbb{Z}_p$ (considered as a field) then these homomorphisms are actually the linear functions from $A$ to $\mathbb{Z}_p$. The task is to find the elements of $A$ which fail to satisfy any of the homogeneous linear equations corresponding to the functions.

We will show that the search problem Random Linear Disequations($A$, $c$) is in time $\mathrm{poly}(\log|A| + \exp(A))$ reducible to the following decision version over subgroups $A'$ of $A$ and with slightly bigger tolerance parameter $c' = 2c$. (Here $\exp(A)$ denotes the exponent of $A$.)

Random Linear Disequations($A'$, $c'$) - decision version
Oracle input: Sample from a distribution over $A'^*$ which is

- either nearly uniform on characters not containing a fixed element $u$ in their kernels,

- or nearly uniform on the whole $A'^*$.

Task: Decide which is the case.

The reduction is based on the following. If $A'$ is a subgroup of $A$ and we restrict characters of $A$ to $A'$ then we obtain a nearly uniform distribution over characters of $A'$ not containing $u$ in their kernels. If $u \notin A'$ this is a nearly uniform distribution over all characters of $A'$.

A possible solution of the decision problem could follow the lines below. If the distribution is uniform over all characters then the kernels of the characters from a sufficiently large sample will cover the whole $A'$. Therefore a possible way to distinguish between the two cases is to collect a sufficiently large sample of characters and to check if their kernels cover the whole group $A'$. Unfortunately, this test is coNP-complete already for $A' = \mathbb{Z}_3^n$. Indeed there is a straightforward reduction from non-colorability of graphs by 3 colors to this problem.

In this paper we propose a classical randomized algorithm solving Random Linear Disequations in $p$-groups. The method is based on replacing the covering condition with a stronger but much more easily testable one which is still satisfied by the kernels of not too many uniformly chosen characters. The running time is polynomial in $\log|A|$ if the exponent of $A$ is constant, and apart from the random input the algorithm does not require any further random bits.

The structure of this paper is the following. In Section 2 we briefly summarize the relationship between Random Linear Disequations and certain quantum hidden subgroup algorithms. Readers not interested in quantum algorithms may skip this part. In Section 3 we prove that the search version in general abelian groups is reducible to the decision problem in groups of the form $\mathbb{Z}_{p^k}^n$. We describe an algorithm for $p$-groups in Section 4. We conclude with some open questions in Section 5.

2 Background 

One of the most important challenges in quantum computing is determining the complexity of the so-called hidden subgroup problem (HSP). This paradigm includes as special cases finding orders of group elements (e.g., in the multiplicative group of the integers modulo a composite number as an important factorization tool), computing discrete logarithms and finding isomorphisms between graphs. Shor's seminal work [12] gives solutions to the first two problems and essentially the same method is applicable to the commutative case of the HSP. For the HSP in non-commutative groups (this includes the third problem mentioned above), there are only a few results. Roughly speaking, all the groups in which hidden subgroups can be found efficiently by present algorithms are very close to abelian ones.

In [5] [5] we showed that an efficient solution to the following algorithmic problem can be used as an important tool for finding hidden subgroups in solvable groups.

Hidden Shift 

Oracle input: Two injective functions $f_0, f_1$ from the abelian group $A$ to some finite set $S$ such that there is an element $0 \ne u \in A$ satisfying $f_1(x) = f_0(x + u)$ for every $x \in A$.
Output: $u$.

Here the oracles for $f_i$ are given by unitary operations $U_i$ which, on input $|x\rangle|0\rangle$, return $|x\rangle|f_i(x)\rangle$. We note that Hidden Shift on $A$ is equivalent to the most interesting subcase of the hidden subgroup problem in the semidirect product $A \rtimes \mathbb{Z}_2$, where the non-identity element of $\mathbb{Z}_2$ acts on $A$ as flipping signs and the hidden subgroup is a conjugate of $\mathbb{Z}_2$. We refer the reader interested in this connection to [10] for the definition of semidirect products.

The semidirect products of the form above include the dihedral groups $D_n$ of order $2n$: these are the semidirect products of the cyclic groups $\mathbb{Z}_n$ by $\mathbb{Z}_2$. In [3] a two-step procedure is proposed for solving the dihedral hidden subgroup problem. The procedure consists of a polynomial time (in $\log n$) quantum part and an exponential classical post-processing phase without queries. The current best dihedral hidden subgroup algorithm [9] has both query and computational complexity exponential in $\sqrt{\log n}$.

In [2] variants of the hidden shift problems with not necessarily injective 
functions are considered. Some special cases - related to multiplicative number 
theoretic characters - are shown to be solvable in polynomial time while the 
most general case has exponential quantum query complexity. This is not the 
case for our definition of the hidden shift problem as it is equivalent to a hidden 
subgroup problem which has polynomial query complexity by [4]. 

In [6] the following approach is proposed for solving Hidden Shift in certain special cases. It is based on the following procedure which is actually a version of the usual Fourier sampling in the group $A \times \mathbb{Z}_2$ (rather than in $A \rtimes \mathbb{Z}_2$). See [7] for a description of quantum Fourier sampling in abelian groups.

Half-Fourier sampling

1. Create state
$$\frac{1}{\sqrt{2|A|}}\sum_{x \in A,\ i \in \{0,1\}} |x\rangle|i\rangle|0\rangle.$$

2. By querying $f_i$, create state
$$\frac{1}{\sqrt{2|A|}}\sum_{x \in A,\ i \in \{0,1\}} |x\rangle|i\rangle|f_i(x)\rangle.$$

3. Measure the third register. If the measured value is $f_0(x)$, the state of the first two registers is
$$\frac{1}{\sqrt{2}}\big(|x\rangle|0\rangle + |x+u\rangle|1\rangle\big).$$

4. By computing the quantum Fourier transform of $A \times \mathbb{Z}_2$, obtain state
$$\frac{1}{2\sqrt{|A|}}\sum_{\chi \in A^*}\Big(\big(\chi(x)+\chi(x+u)\big)|\chi\rangle|0\rangle + \big(\chi(x)-\chi(x+u)\big)|\chi\rangle|1\rangle\Big).$$

5. Measure and output the first register if the second register contains bit 1. Otherwise abort.

The probability of obtaining character $\chi$ as result of this procedure is
$$\frac{1}{|A|}\sum_{x \in A}\frac{|\chi(x)-\chi(x+u)|^2}{4|A|} = \frac{|1-\chi(u)|^2}{4|A|}. \qquad (1)$$

Note that the probability that the procedure does not abort is
$$\sum_{\chi \in A^*}\frac{|1-\chi(u)|^2}{4|A|} = \frac{1}{4|A|}\sum_{\chi \in A^*}\big(2 - \chi(u) - \overline{\chi(u)}\big) = \frac{1}{2},$$






where the last equality follows from the orthogonality relations (for the columns of the character table of $A$) which give $\sum_{\chi \in A^*}\chi(u) = 0$ as $u \ne 0$.

Obviously, the probability given by (1) is nonzero if and only if $u$ is not contained in the kernel of the character $\chi$. The strategy for finding $u$ is determining the subgroup generated by $u$ first from the characters obtained by the procedure above. This reduces Hidden Shift to an instance where the abelian group is cyclic. This special instance is in turn equivalent with the dihedral hidden subgroup problem which we can solve by an exhaustive search or even with Kuperberg's more efficient approach. (Note, however, that the complexity of our present method for finding the subgroup generated by $u$ dominates the complexity of the whole procedure in both cases.)

Actually we only notice the subgroup of $A^*$ generated by the characters $\chi$ observed. Equivalently, we can equalize the probability of characters that generate equal subgroups of $A^*$ as follows. If character $\chi$ occurs as a result of the procedure then we draw uniformly a number $0 < j < m$ which is prime to the exponent $m$ of $A$ and replace $\chi$ with $\chi^j$. We show below that we obtain a distribution which is nearly uniform on the characters $\chi$ such that $\chi(u) \ne 1$.

Lemma 1. Let $\omega$ be a primitive $m_0$th root of unity, let $m$ be a multiple of $m_0$ and let $m_1$ be the product of the prime divisors of $m$. Then
$$\sum_{0<j<m,\ (j,m)=1}\omega^j = \begin{cases}\mu(m_0)\,\dfrac{m}{m_1}\,\phi\!\left(\dfrac{m_1}{m_0}\right) & \text{if } m_0 \mid m_1,\\[4pt] 0 & \text{otherwise,}\end{cases}$$
where $\phi$ is Euler's totient function and $\mu$ is the Möbius function.

Proof. For $k \mid m$ we define $f(k) = \sum_{0<j\le k,\ (j,k)=1}\omega^{jm/k}$. Then for every $k \mid m$ we have $\sum_{j=1}^{k}\omega^{jm/k} = \sum_{d \mid k} f(d)$. (This follows from the fact that every positive integer $j \le k$ can be uniquely written in the form $j = \frac{k}{d}j'$ where $d \mid k$, $1 \le j' \le d$ and $(j',d) = 1$.) Let $F(k) = \sum_{d \mid k} f(d)$ for $k \mid m$. Then, by the Möbius inversion formula, $f(m) = \sum_{d \mid m}\mu(m/d)F(d)$. We know that $F(d) = d$ if $\omega^{m/d} = 1$, i.e. if $m_0 \mid m/d$, and $F(d) = 0$ otherwise. As $\mu(m/d)$ is nonzero only for squarefree $m/d$, the product $\mu(m/d)F(d)$ is nonzero if and only if $m_0 \mid m/d$ and $m/d \mid m_1$. Therefore
$$f(m) = \sum_{d \mid m,\ m_0 \mid m/d \mid m_1}\mu(m/d)\,d = \mu(m_0)\,\frac{m}{m_1}\sum_{d \mid \frac{m_1}{m_0}}\mu\!\left(\frac{m_1}{m_0 d}\right)d$$
if $m_0 \mid m_1$, and $f(m) = 0$ otherwise. We conclude by observing that if $\ell = p_1 \cdots p_r$ where the $p_i$ are pairwise distinct primes then
$$\sum_{d \mid \ell}\mu(\ell/d)\,d = \sum_{I \subseteq \{1,\dots,r\}}(-1)^{r-|I|}\prod_{i \in I}p_i = \prod_{i=1}^{r}(p_i - 1) = \phi(\ell).\ \square$$

Lemma 2. Let $1 \ne \omega$ be an $m$th root of unity. Then
$$\frac{1}{2} \le \frac{1}{2\phi(m)}\sum_{0<j<m,\ (m,j)=1}|1-\omega^j|^2 \le 2.$$

Proof. Let $m_0$ be the order of $\omega$ and let $m_1$ be the product of the prime divisors of $m$. Observe that $|1-\omega^j|^2 = 2 - \omega^j - \omega^{-j}$. Therefore $\sum_{0<j<m,(m,j)=1}|1-\omega^j|^2 = 2\phi(m) - 2\sum_{0<j<m,(m,j)=1}\omega^j$, since $j \mapsto m-j$ permutes the integers prime to $m$ in $(0,m)$ and $\omega^{-j} = \omega^{m-j}$. By Lemma 1 the sum on the right hand side is zero unless $m_0 \mid m_1$. If $m_0 \mid m_1$ then that sum has absolute value $\frac{m}{m_1}\phi\!\left(\frac{m_1}{m_0}\right)$. The assertion for $m_0 > 2$ follows from $\phi(m) = \frac{m}{m_1}\phi(m_1) = \frac{m}{m_1}\phi(m_0)\phi\!\left(\frac{m_1}{m_0}\right) \ge 2\frac{m}{m_1}\phi\!\left(\frac{m_1}{m_0}\right)$. If $m_0 = 2$ then $\omega = -1$ and the sum is $4\phi(m)$, so the middle expression equals 2. $\square$

From Lemma 2 we immediately obtain the following.

Proposition 1. Let $f_0, f_1 : A \to S$ be an instance of Hidden Shift in a finite abelian group $A$ with solution $u$. Then, if we follow Half-Fourier Sampling by raising the resulting character to the $j$th power where $j$ is a random integer prime to the exponent of $A$, we obtain an instance of Random Linear Disequations($A$, 2).

Proof. Let $m$ stand for the exponent of $A$. Then by (1), the probability of $\chi$ in the resulting distribution is
$$\frac{1}{\phi(m)}\sum_{0<j<m,\ (j,m)=1}\frac{|1-\chi(u)^j|^2}{4|A|}.$$
By Lemma 2 this probability is between $\frac{1}{4|A|}$ and $\frac{1}{|A|}$. $\square$



3 Reductions 

In this section we show that the search version of Random Linear Disequations is reducible to its decision version in abelian groups of the form $\mathbb{Z}_{p^k}^n$.

For a finite abelian group $A$ we denote by $A^*$ its character group. Assume that $H$ is a subgroup of $A$. Then taking restrictions of characters of $A$ to $H$ gives a homomorphism from $A^*$ onto $H^*$. The kernel of this map is the set of characters which contain $H$ in their kernels. This set can be identified with the character group $(A/H)^*$. It follows that every character of $H$ has exactly $|(A/H)^*|$ extensions to $A$. It follows that if a distribution is nearly uniform on characters of $A$ then restriction to $H$ results in a nearly uniform distribution over characters of $H$ with the same tolerance parameter.

The same holds in the reverse direction: taking uniformly random extensions of characters of $H$ to $A$ transforms a nearly uniform distribution over $H^*$ to a nearly uniform distribution over $A^*$ with the same parameter. And a similar statement holds for distributions nearly uniform on the characters of $H$ which do not contain a specific $u \in H$ in their kernels.

For restricting characters of $A$ not containing the element $u \in A$ in their kernel we have the following.

Lemma 3. Let $H$ be a subgroup of a finite abelian group $A$, let $\chi$ be a character of $H$ and let $u \in A$. Then the number of characters $\psi$ of $A$ extending $\chi$ such that $\psi(u) \ne 1$ is
$$\begin{cases}|A:H|\,(k-1)/k & \text{if } k_0 = k,\\ |A:H| & \text{if } k_0 < k,\end{cases}$$
where $k$ is the smallest positive integer such that $k \cdot u \in H$ and $\chi(k \cdot u) = 1$, and $k_0$ is the smallest positive integer such that $k_0 \cdot u \in H$.
Proof. If $k_0 < k$ then $\chi(k_0 u) \ne 1$, therefore $\psi(u) \ne 1$ for every $\psi$ extending $\chi$ to $A$. Assume that $k_0 = k$. Let $A'$ be the subgroup of $A$ generated by $H$ and $u$ and let $K = \{x \in H \mid \chi(x) = 1\}$. Then every character of $A$ extending $\chi$ takes value 1 on $K$, therefore it is sufficient to consider the characters of $A'/K$ extending the characters of $H/K$. Equivalently, we may assume that $K$ is trivial, and $k$ is the order of $u$. Then $A'$ is the direct product of the cyclic group generated by $u$ and $H$. In this case there exists exactly one character of $A'$ extending $\chi$ which takes value 1 on $u$. Thus there are $\frac{k-1}{k}|A'/H|$ characters of $A'$ with the desired property extending $\chi$, and each of them has $|A/A'|$ extensions to $A$. $\square$

Assume that we have an instance of the search version of Random Linear Disequations($A$, $c$) with solution $u \in A$. Then, by the lemma above, restricting characters of $A$ to $H$ gives an instance of the search version Random Linear Disequations($H$, $2c$). This gives rise to the following.

Proposition 2. Let $A$ be an abelian group and let $p$ be the largest prime factor of $|A|$. Then, for every number $c \ge 1$, the search version of Random Linear Disequations($A$, $c$) is reducible to $O(p \cdot \mathrm{polylog}|A|)$ instances of the decision version of Random Linear Disequations($H$, $2c$) over subgroups $H$ of $A$ in time $\mathrm{poly}(p \cdot \log|A|)$.

Proof. The first step of the reduction is a call to the decision version of Random Linear Disequations($A$, $c$). If it returns that the distribution is nearly uniform over the whole $A^*$ then we are done. Otherwise there is an element $u \in A$ such that the probability of drawing $\chi \in A^*$ is zero if and only if $\chi(u) = 1$. We perform an iterative search for the subgroup generated by $u$ using Random Linear Disequations over certain subgroups $U$ of $A$. Initially set $U = A$. Assume first that $U$ is not cyclic. Then we can find a prime $q$ such that the $q$-Sylow subgroup $Q$ of $U$ (the subgroup consisting of elements of $U$ of $q$-power order) is not cyclic. But then the factor group $Q/qQ$ is not cyclic either and we can find two subgroups $M_1$ and $M_2$ of $Q$ of index $q$ in $Q$ such that the index of the intersection $M = M_1 \cap M_2$ in $Q$ is $q^2$. This implies $Q/M \cong \mathbb{Z}_q^2$. Let $Q'$ be the complement of $Q$ in $U$. (Recall that $Q'$ consists of the elements of $U$ of order prime to $q$.) Let $N = M + Q'$. Then $M = N \cap Q$ and $U/N \cong Q/(N \cap Q) = Q/M \cong \mathbb{Z}_q^2$. The group $\mathbb{Z}_q^2$ has $q+1$ subgroups of order $q$: these are the lines through the origin in the finite plane $\mathbb{Z}_q^2$. As a consequence, there are exactly $q+1$ subgroups $U_1, \dots, U_{q+1}$ with index $q$ in $U$ containing $N$. Furthermore, we can find these subgroups in time polynomial in $\log|U|$ and $q$. Note that $U = U_1 \cup \dots \cup U_{q+1}$. Therefore, by an exhaustive search, using the decision version of Random Linear Disequations($U_i$) for $i = 1, \dots, q+1$, we find an index $i$ such that $u \in U_i$. Then we proceed with $U_i$ in place of $U$. In at most $\log|A|$ rounds we arrive at a cyclic subgroup $U$ containing the desired elements $u$. If $U$ is cyclic then the maximal subgroups of $U$ are $U_1, \dots, U_l$ where the prime factors of $|U|$ are $p_1, \dots, p_l$ and $U_i = p_i U$. Again using the decision version of Random Linear Disequations($U_i$) for $i = 1, \dots, l$, we either find a proper subgroup $U_i$ containing the solutions $u$ or find that the solutions cannot be contained in any proper subgroup of $U$. In the latter case the required subgroup is $U$. $\square$
Finally, for the decision problem we have the following.

Proposition 3. Let $A = \mathbb{Z}_{m_1} \oplus \dots \oplus \mathbb{Z}_{m_n}$ be a finite abelian group of exponent $m$. (So $m$ is the least common multiple of $m_1, \dots, m_n$.) Then, for every real number $c \ge 1$, Random Linear Disequations($A$, $c$) is reducible to Random Linear Disequations($\mathbb{Z}_m^n$, $c$) in time $\mathrm{polylog}|A|$.

Proof. We can embed $A$ into $A' = \mathbb{Z}_m^n$ as $\frac{m}{m_1}\mathbb{Z}_m \oplus \dots \oplus \frac{m}{m_n}\mathbb{Z}_m$. We replace a character of $A$ with a random extension to $A'$. As every character of $A$ has the same number $|A'/A|$ of extensions, this transforms an instance of Random Linear Disequations($A$, $c$) to Random Linear Disequations($A'$, $c$). $\square$

4 Algorithms for p-groups 

In this section we describe an algorithm which solves the decision version of Random Linear Disequations in polynomial time over groups of the form $\mathbb{Z}_{p^k}^n$, for every fixed prime power $p^k$.

For better understanding of the main ideas it will be convenient to start with a brief description of an algorithm which works in the case $k = 1$. This case is - implicitly - also solved in [5] and in Section 3 of [5]. Here we present a method similar to the above mentioned solutions. The principal difference is that here we use polynomials rather than tensor powers. This - actually slight - modification of the approach makes it possible to generalize the algorithm to the case $k > 1$.

For the next few paragraphs we assume that $k = 1$, i.e., we are working on an instance of Random Linear Disequations over the group $A = \mathbb{Z}_p^n$. We choose a basis of $A$, and fix a primitive $p$th root of unity $\omega$. Then characters of $A$ are of the form $\chi_x$, where $x \in A$ and for $y \in A$ the value $\chi_x(y)$ is $\omega^{x \cdot y}$, where $x \cdot y = \sum_{i=1}^{n} x_i y_i$. (Here $x_i$ and $y_i$ are the coordinates of $x$ and $y$, respectively, in terms of the chosen basis. Note that, as $\omega^p = 1$, it is meaningful to consider $x \cdot y$ as an element of $\mathbb{Z}_p$.)

Using this description of characters, we may - and will - assume that the oracle returns the index $x$ rather than the character $\chi_x$ itself. We also consider $A$ as an $n$-dimensional vector space over the finite field $\mathbb{Z}_p$ equipped with the scalar product $x \cdot y$ above. The algorithm will distinguish between a nearly uniform distribution over the whole group $A$ and an arbitrary distribution where the probability of any vector orthogonal to a fixed vector $u \ne 0$ is zero.

We claim that in the case of a distribution of the latter type there exists a polynomial $Q \in \mathbb{Z}_p[x_1, \dots, x_n]$ of degree $p-1$ such that for every $x$ which occurs with nonzero probability we have $Q(x) = 0$. Indeed, for any fixed $u$ with the property above, $\left(\sum_{i} u_i x_i\right)^{p-1} - 1$ is such a polynomial by Fermat's little theorem.

On the other hand, if the distribution is nearly uniform over the whole group then, for sufficiently large sample size $N$, with high probability there is no nonzero polynomial $Q \in \mathbb{Z}_p[x_1, \dots, x_n]$ of degree at most $p-1$ such that $Q(a^{(i)}) = Q(a_1^{(i)}, \dots, a_n^{(i)}) = 0$ for every vector from the sample $a^{(1)}, \dots, a^{(N)}$.

This can be seen as follows. Let us consider the vector space $W$ of polynomials of degree at most $p-1$ in $n$ variables over the field $\mathbb{Z}_p$. Substituting a vector $a = (a_1, \dots, a_n)$ into polynomials $Q$ is obviously a linear function on $W$. Therefore for any $N_1 \le N$, the set of polynomials vanishing at $a^{(1)}, \dots, a^{(N_1)}$ is a linear subspace $W_{N_1}$ of $W$. Furthermore, by the Schwartz-Zippel lemma [11, 13], the probability that a uniformly drawn vector $a$ from $\mathbb{Z}_p^n$ is a zero of a particular nonzero polynomial of degree $p-1$ (or less) is at most $(p-1)/p$. This implies that with probability proportional to $1/(cp)$, the subspace $W_{N_1+1}$ is strictly smaller than $W_{N_1}$ unless $W_{N_1}$ is zero. This implies that, if the sample size $N$ is proportional to $p \cdot \dim W$ then with high probability, $W_N$ will be zero. Also, we can compute $W_N$ by solving a system of $N$ linear equations over $\mathbb{Z}_p$ in $\dim W = \binom{n+p-1}{p-1}$ variables.

Note that the key ingredient of the argument above - the Schwartz-Zippel bound on the probability of hitting a zero of a nonzero polynomial - is also known from coding theory. Namely we can encode such a polynomial $Q(x) = Q(x_1, \dots, x_n)$ with the vector consisting of all the values $Q(a) = Q(a_1, \dots, a_n)$ taken at all the vectors $a = (a_1, \dots, a_n)$ in $\mathbb{Z}_p^n$. This is a linear encoding of $W$ and the image of $W$ under such an encoding is a well known generalized Reed-Muller code. The relative distance of this code is $(p-1)/p$.

We turn to the general case: below we present an algorithm solving Random Linear Disequations in the group $A = \mathbb{Z}_{p^k}^n$ where $k$ is a positive integer. Like in the case $k = 1$, the characters of the group $A = \mathbb{Z}_{p^k}^n$ can be indexed by elements of $A$ when we fix a basis of $A$ and a primitive $p^k$th root of unity $\omega$: $\chi_x(y) = \omega^{x \cdot y}$, where $x \cdot y$ is the sum of the products of the coordinates of $x$ and $y$ in terms of the fixed basis. Again, we can consider $x \cdot y$ as an element of $\mathbb{Z}_{p^k}$. In view of this, it is sufficient to present a method that distinguishes between a nearly uniform distribution over $\mathbb{Z}_{p^k}^n$, and an arbitrary one where vectors which are orthogonal to a fixed vector $u \ne 0$ have zero probability.

The method is based on the idea outlined above for the case $k = 1$ combined with an encoding of elements of $\mathbb{Z}_{p^k}$ by $k$-tuples of elements of $\mathbb{Z}_p$. The encoding is the usual base $p$ expansion, that is, the bijection $\delta : \sum_{j=0}^{k-1} a_j p^j \mapsto (a_0, \dots, a_{k-1})$. We can extend this map to a bijection between $\mathbb{Z}_{p^k}^n$ and $\mathbb{Z}_p^{kn}$ in a natural way.

Obviously the image under $\delta$ of a nearly uniform distribution over $\mathbb{Z}_{p^k}^n$ is nearly uniform over $\mathbb{Z}_p^{kn}$. In the next few lemmas we are going to show that for every $0 \ne u \in \mathbb{Z}_{p^k}^n$ there is a polynomial $Q$ of "low" degree in $kn$ variables such that for every vector $a \in \mathbb{Z}_{p^k}^n$ not orthogonal to $u$, the codeword $\delta(a)$ is a zero of $Q$.

We begin with a polynomial expressing the carry term of addition of two 
base p digits. 

Lemma 4. There is a polynomial $C(x,y) \in \mathbb{Z}_p[x,y]$ of degree at most $2p-2$ such that for every pair of integers $a, b \in \{0, \dots, p-1\}$, $C(a,b) = 0$ if $a + b < p$ and $C(a,b) = 1$ otherwise.

Proof. For $i \in \{0, \dots, p-1\}$, let $L_i \in \mathbb{Z}_p[z]$ denote the Lagrange polynomial $\prod_{j \ne i}\frac{z - j}{i - j}$. We have $L_i(i) = 1$ and $L_i(j) = 0$ for $j \ne i$. Define
$$C(x,y) = \sum_{0 \le i,j < p:\ i+j \ge p} L_i(x)\,L_j(y).\ \square$$

Using the carry polynomial C(x, y) we can also express the base p digits of 
sums by polynomials. 

Lemma 5. For every integer $T \ge 1$, there exist polynomials $Q_i$ from the polynomial ring $\mathbb{Z}_p[y_{1,0}, \dots, y_{1,k-1}, \dots, y_{T,0}, \dots, y_{T,k-1}]$ ($i = 0, \dots, k-1$) with $\deg Q_i \le (2p-2)^i$ such that
$$\delta\Big(\sum_{t=1}^{T} a_t \bmod p^k\Big) = \big(Q_0(\delta(a_1), \dots, \delta(a_T)), \dots, Q_{k-1}(\delta(a_1), \dots, \delta(a_T))\big)$$
for every $a_1, \dots, a_T \in \mathbb{Z}_{p^k}$.

Proof. The proof is accomplished by induction on $k$. For $k = 1$ the statement is obvious: we can take $Q_0 = \sum_{t=1}^{T} y_{t,0}$. Now let $k > 1$. Again set $Q_0 = \sum_{t=1}^{T} y_{t,0}$ and for $t = 2, \dots, T$ set $C_t = C\big(\sum_{j=1}^{t-1} y_{j,0},\ y_{t,0}\big)$. Then for every $a_1, \dots, a_T \in \mathbb{Z}_{p^k}$, the digits $s_0, \dots, s_{k-1}$ of the sum $s = \sum_{t=1}^{T} a_t \bmod p^k$ satisfy
$$s_0 = Q_0(a_{1,0}, \dots, a_{T,0}) \bmod p,$$
$$\sum_{j=1}^{k-1} s_j p^{j-1} = \sum_{t=1}^{T}\lfloor a_t/p \rfloor + \sum_{t=2}^{T} c_t \bmod p^{k-1},$$
where $c_t = C_t(a_{1,0}, \dots, a_{T,0})$. In other words, the $0$th digit of the sum $s$ is a linear polynomial in the $a_{t,0}$, and, for $1 \le j \le k-1$, the $j$th digit is the $(j-1)$th digit of the right hand side of the second equation. There we have a sum of $2T-1$ terms and each digit of each term is a polynomial of degree at most $2p-2$ in the $a_{t,j}$. Therefore we can conclude using the inductive hypothesis applied to that (longer) sum. $\square$
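The following Python code is an added example, not code from the paper: it builds the carry polynomial $C(x,y)$ of Lemma 4 by Lagrange interpolation and checks it on every digit pair, then uses it exactly as in the proof of Lemma 5 to compute the two base-$p$ digits of a sum of elements of $\mathbb{Z}_{p^2}$ (the $k = 2$ case) and compares them with the true digits. The function names (`carry_poly`, `digits_of_sum`, and so on) and the polynomial representation are this example's own choices.

```python
"""Carry polynomial C(x, y) of Lemma 4 and the digit recursion of Lemma 5
for k = 2.  Constructed example, not the paper's code.  Polynomials over
Z_p are dicts {exponent tuple: coefficient}; the variable order is (x, y)."""
from itertools import product


def poly_add(f, g, p):
    h = dict(f)
    for e, c in g.items():
        h[e] = (h.get(e, 0) + c) % p
    return {e: c for e, c in h.items() if c}


def poly_mul(f, g, p):
    h = {}
    for (e1, c1), (e2, c2) in product(f.items(), g.items()):
        e = tuple(a + b for a, b in zip(e1, e2))
        h[e] = (h.get(e, 0) + c1 * c2) % p
    return {e: c for e, c in h.items() if c}


def lagrange(i, p, var):
    """L_i(z) = prod_{j != i} (z - j)/(i - j) in Z_p[z], where z is variable
    number `var` (0 for x, 1 for y) of a bivariate polynomial."""
    z = (1, 0) if var == 0 else (0, 1)
    one = (0, 0)
    poly = {one: 1}
    for j in range(p):
        if j != i:
            inv = pow((i - j) % p, p - 2, p)          # 1/(i - j) in Z_p
            poly = poly_mul(poly, {z: inv, one: (-j * inv) % p}, p)
    return poly


def carry_poly(p):
    """C(x, y) = sum over i + j >= p of L_i(x) L_j(y): value 1 on digit pairs
    that produce a carry, 0 otherwise; total degree at most 2p - 2."""
    c = {}
    for i, j in product(range(p), repeat=2):
        if i + j >= p:
            c = poly_add(c, poly_mul(lagrange(i, p, 0), lagrange(j, p, 1), p), p)
    return c


def evaluate(f, point, p):
    total = 0
    for e, coeff in f.items():
        v = coeff
        for x, ex in zip(point, e):
            v = v * pow(x, ex, p) % p
        total = (total + v) % p
    return total


def total_degree(f):
    return max((sum(e) for e in f), default=0)


def carry_table_ok(p):
    """C(a, b) must agree with the integer test a + b >= p on every digit pair."""
    c = carry_poly(p)
    return all(evaluate(c, (a, b), p) == int(a + b >= p)
               for a, b in product(range(p), repeat=2))


def digits_of_sum(terms, p, c=None):
    """Lemma 5 for k = 2: digits (s0, s1) of sum(terms) mod p^2 computed only
    from the base-p digits of the terms, with Q_0 = sum_t y_{t,0} and
    Q_1 = sum_t y_{t,1} + sum_{t >= 2} C(y_{1,0} + ... + y_{t-1,0}, y_{t,0})."""
    c = carry_poly(p) if c is None else c
    low = [t % p for t in terms]
    high = [t // p % p for t in terms]
    s0 = sum(low) % p
    carries = sum(evaluate(c, (sum(low[:t]) % p, low[t]), p)
                  for t in range(1, len(terms)))
    return s0, (sum(high) + carries) % p


def lemma5_holds(p, nterms):
    """Compare the polynomial digits with the true base-p digits of the sum
    for every tuple of `nterms` elements of Z_{p^2}."""
    c = carry_poly(p)
    for terms in product(range(p * p), repeat=nterms):
        s = sum(terms) % (p * p)
        if digits_of_sum(terms, p, c) != (s % p, s // p):
            return False
    return True
```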

Recall that we extend $\delta$ to $\mathbb{Z}_{p^k}^n$ in the natural way. To be specific, for $a = (a_1, \dots, a_n) \in \mathbb{Z}_{p^k}^n$ we define $\delta(a) \in \mathbb{Z}_p^{kn}$ as the vector $(a_{1,0}, \dots, a_{n,k-1}) \in \mathbb{Z}_p^{kn}$ where $a_{i,j}$ is the $j$th coordinate of $\delta(a_i) \in \mathbb{Z}_p^k$. We can express the digits of the scalar products of a vector from $\mathbb{Z}_{p^k}^n$ with a fixed one as follows.

Lemma 6. For every $u \in \mathbb{Z}_{p^k}^n$, there exist polynomials $Q_i \in \mathbb{Z}_p[x_{1,0}, \dots, x_{n,k-1}]$ of total degree at most $(2p-2)^i$, for $i = 0, \dots, k-1$, such that $\delta(a \cdot u) = (Q_0(\delta(a)), \dots, Q_{k-1}(\delta(a)))$ for every $a \in \mathbb{Z}_{p^k}^n$.

Proof. The statement follows from Lemma 5 by repeating $u_i$ times the coordinate $x_i$, and taking the sum of all the terms obtained this way modulo $p^k$. $\square$
In order to simplify notation, for the rest of this section we set $x_{jn+i} = x_{i,j}$ ($j = 0, \dots, k-1$, $i = 1, \dots, n$). For every positive integer $D$, let $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ be the linear subspace of polynomials of $\mathbb{Z}_p[x_1, \dots, x_{nk}]$ whose total degree is at most $D$ and partial degrees are at most $p-1$ in each variable.

Together with Fermat's little theorem, the previous lemma implies a polynomial characterization over $\mathbb{Z}_p$ of vectors in $\mathbb{Z}_{p^k}^n$ that are not orthogonal to a fixed vector $u \in \mathbb{Z}_{p^k}^n$.

Lemma 7. Let $D = (p-1)\sum_{j=0}^{k-1}(2p-2)^j$. For every $u \in \mathbb{Z}_{p^k}^n$, there exists a polynomial $Q_u \in \mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ such that for every $a \in \mathbb{Z}_{p^k}^n$, $a \cdot u \ne 0 \pmod{p^k}$ if and only if $Q_u(\delta(a)) = 0$.

Proof. Let $Q = \prod_{j=0}^{k-1}\big(Q_j^{p-1} - 1\big)$, where the polynomials $Q_j$ come from Lemma 6. This polynomial has the required total degree. To ensure that partial degrees are at most $p-1$, we replace $x_i^p$ terms with $x_i$ until every partial degree is at most $p-1$. Let $Q_u$ be the polynomial obtained this way. Then $Q_u$ and $Q$ encode the same function over $\mathbb{Z}_p^{nk}$. Therefore, since $Q_u(\delta(a)) = Q(\delta(a))$, the polynomial $Q_u$ satisfies the required conditions. $\square$

It remains to show that if $N$ is large then with high probability, for a sample $a_1, \dots, a_N$ taken according to a nearly uniform distribution over $\mathbb{Z}_{p^k}^n$, there is no nonzero polynomial in $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ vanishing at all the points $a_1, \dots, a_N$, where $D$ is as in Lemma 7. Furthermore, we also need an efficient method for demonstrating this.

To this end, for every $a \in \mathbb{Z}_{p^k}^n$, we denote by $\ell_a$ the linear function over polynomials in $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ that satisfies $\ell_a(Q) = Q(\delta(a))$. Deciding whether the zero polynomial is the only polynomial in $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ such that $\ell_{a_i}(Q) = 0$ for $i = 1, \dots, N$ amounts to determining the rank of the $N \times \Delta$ matrix whose entries are $\ell_{a_i}(M)$ where $M$ runs over the monomials in $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$. Here $\Delta$ stands for the dimension of $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$. Note that $\Delta \le \binom{kn+D}{D}$.

The image of the space $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ under the linear map $L : Q \mapsto (\ell_a(Q))_{a \in \mathbb{Z}_{p^k}^n}$ is known as a generalized Reed-Muller code with minimal weight at least $(p-s)\,p^{nk-r-1} \ge p^{nk - \lceil D/(p-1) \rceil}$, where $r, s$ are integers such that $0 \le s < p-1$ and $\min\{D, (p-1)nk\} = r(p-1) + s$, cf. [1]. For $N_1 \le N$, let $W_{N_1}$ stand for the subspace of polynomials in $\mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]$ vanishing at all the points $a_1, \dots, a_{N_1}$. The minimal weight bound above gives that for $N_1 < N$,
$$\Pr\big(W_{N_1+1} < W_{N_1} \ \big|\ W_{N_1} \ne 0\big) \ge \frac{1}{c}\,p^{-\lceil D/(p-1) \rceil}.$$

Here $c$ is the parameter of near uniformity. The formula above implies that if
$$N = O\Big(c\,p^{\lceil D/(p-1) \rceil}\dim \mathbb{Z}_p^{(D)}[x_1, \dots, x_{nk}]\Big) = c\,(pnk)^{O((2p)^k)},$$
then with probability at least $2/3$, $W_N$ will be zero - provided that we have a nearly uniform distribution with parameter $c$. (In the second bound we have used that $D = (p-1)\frac{(2p-2)^k - 1}{2p-3} = O((2p)^k)$.) Together with the remark on rank computation this gives the following.

Theorem 1. Random Linear Disequations($\mathbb{Z}_{p^k}^n$, $c$) can be solved in time $c\,(pnk)^{O((2p)^k)}$ with (one-sided) error $1/3$. In particular, for every fixed prime power $p^k$, and for every fixed constant $c$, Random Linear Disequations($\mathbb{Z}_{p^k}^n$, $c$) can be solved in time polynomial in $n$. $\square$
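The decision procedure of this section, for both the $k = 1$ case discussed at the start and the general $k$ of Theorem 1, as an added Python example that is not part of the paper: it encodes samples with $\delta$, evaluates all monomials of total degree at most $D$ and partial degrees at most $p-1$ at the sample points, and reports full rank (consistent with near uniformity) or not. The group parameters, the hidden vector $u$ and the two samplers are constructed for the demonstration, and the function names are this example's own.

```python
"""Decision version of Random Linear Disequations over Z_{p^k}^n by the
polynomial/rank test of Section 4.  Constructed example (not the paper's
code): group parameters, hidden vector u and all samples are made up here.
k = 1 is the degree-(p-1) test; k > 1 works on the base-p digit map delta."""
from itertools import product
import random


def delta(a, p, k):
    """Base-p digits of every coordinate: maps Z_{p^k}^n to Z_p^{kn}."""
    digits = []
    for coord in a:
        for _ in range(k):
            digits.append(coord % p)
            coord //= p
    return digits


def degree_bound(p, k):
    """D = (p-1) * sum_{j<k} (2p-2)^j, the total-degree bound of Lemma 7."""
    return (p - 1) * sum((2 * p - 2) ** j for j in range(k))


def monomials(nvars, bound, p):
    """Exponent vectors with partial degrees <= p-1 and total degree <= bound:
    a basis of the space written Z_p^(D)[x_1, ..., x_nk] in the text."""
    return [e for e in product(range(p), repeat=nvars) if sum(e) <= bound]


def rank_mod_p(rows, p):
    """Rank of an integer matrix over the field Z_p by Gaussian elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], p - 2, p)          # inverse in Z_p, p prime
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(x - f * y) % p for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank


def evaluation_rank(sample, p, k):
    """Rank of the N x Delta matrix of monomial values l_{a_i}(M), and Delta."""
    n = len(sample[0])
    monos = monomials(n * k, degree_bound(p, k), p)
    rows = []
    for a in sample:
        d = delta(a, p, k)
        row = []
        for e in monos:
            v = 1
            for x, ex in zip(d, e):
                v = v * pow(x, ex, p) % p          # pow(0, 0, p) == 1, as x^0 should be
            row.append(v)
        rows.append(row)
    return rank_mod_p(rows, p), len(monos)


def looks_uniform(sample, p, k):
    """True when no nonzero polynomial of the allowed degrees vanishes on the
    whole sample (full rank): the verdict 'nearly uniform on all of Z_{p^k}^n'.
    A sample avoiding the vectors orthogonal to some u never reaches full rank,
    because the polynomial Q_u of Lemma 7 vanishes at every one of its points."""
    rank, dim = evaluation_rank(sample, p, k)
    return rank == dim


def all_vectors(p, k, n):
    return list(product(range(p ** k), repeat=n))


def sample_uniform(p, k, n, size, rng):
    return [tuple(rng.randrange(p ** k) for _ in range(n)) for _ in range(size)]


def sample_avoiding(u, p, k, size, rng):
    """Uniform over the vectors a with a.u != 0 (mod p^k): the disequation case."""
    q = p ** k
    out = []
    while len(out) < size:
        a = tuple(rng.randrange(q) for _ in range(len(u)))
        if sum(x * y for x, y in zip(a, u)) % q != 0:
            out.append(a)
    return out


def verdicts(p, k, n, u, size=400, seed=7):
    """(verdict on a nearly uniform sample, verdict on a u-avoiding sample)."""
    rng = random.Random(seed)
    good = sample_uniform(p, k, n, size, rng)
    bad = sample_avoiding(u, p, k, size, rng)
    return looks_uniform(good, p, k), looks_uniform(bad, p, k)


if __name__ == "__main__":
    print("Z_3^3, u=(1,2,0):", verdicts(3, 1, 3, (1, 2, 0)))   # (True, False)
    print("Z_4^3, u=(1,0,0):", verdicts(2, 2, 3, (1, 0, 0)))   # (True, False)
```

With 400 samples the uniform case reaches full rank because a nonzero polynomial of the allowed degrees can vanish on at most $(1 - p^{-\lceil D/(p-1)\rceil})$ of the group, so only a few distinct points beyond that fraction are needed.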

5 Concluding remarks 

We have shown that for any fixed prime power $p^k$, the problem Random Linear Disequations over the group $\mathbb{Z}_{p^k}^n$ can be solved in time which is polynomial in the rank $n$. Actually if we let the exponent $p^k$ grow as well then our method runs in time polynomial in the rank $n$ but exponential in the exponent $p^k$. Note that a brute force algorithm which takes a sample of size $O(knp^k\log p)$ (the kernels of that many random characters cover the whole group with high probability) and performs exhaustive search over all the elements of $\mathbb{Z}_{p^k}^n$ runs in time $p^{kn}\cdot(pkn)^{O(1)}$. This is polynomial in the exponent $p^k$ and exponential in $n$. It would be interesting to know if there exists a method which solves Random Linear Disequations in time polynomial in both $n$ and $p^k$.

Also, the method of this paper exploits seriously that the exponent of the group is a prime power. Existence of an algorithm for Random Linear Disequations in $\mathbb{Z}_m^n$ of complexity polynomial in $n$ for fixed $m$ having more than one prime divisor appears to be open, even in the smallest case $m = 6$.